By Paul C. Rollins
Prepared For
George Mason University
Department of Electrical and Computer Engineering
Fairfax, Virginia
VLANs and Wireless VLANs
Paul C. Rollins ECE 636 Project Report
TABLE OF CONTENTS
1 INTRODUCTION
1.1 VLANS
1.2 VPNS
1.3 COMPARISON
2 VLANS
2.1 VLAN HISTORY
2.2 VLAN PROTOCOLS
2.2.1 IEEE 802.1D
2.2.2 IEEE 802.1Q
2.2.3 Inter-Switch Link (ISL)
2.2.4 IEEE 802.10
2.2.5 LAN Emulation (LANE)
2.3 VLAN SECURITY
2.3.1 Security Provided by VLANs
2.3.2 VLAN Weaknesses
2.3.3 Security Required in VLAN
3 WIRELESS LANS (WLAN)
3.1 INTRODUCTION TO WIRELESS LANS
3.2 WIRELESS LAN PROTOCOLS
3.3 WIRELESS LAN SECURITY
4 WIRELESS VLANS
5 CONCLUSION
6 REFERENCES
1 INTRODUCTION
The Virtual Local Area Network (VLAN) has quickly grown from a buzzword bandied about in
test labs and expert kernel-hacker newsgroups and chat rooms into a networking term almost as
common as hub, switch or VPN. The hype is big, and still growing.
The purpose of this project is to explore the state of the art in VLAN technology and protocols,
in particular the security offered by the protocols and the security implications of using them.
A brief comparison of VLANs to Virtual Private Networks (VPNs) is also given, because the two
technologies are commonly misunderstood and confused with each other.
1.1 VLANs
What is a VLAN? With the large number of proprietary VLAN implementations and solutions
that differ from each other in fundamental ways, this is a difficult question to answer. At the
most basic level, most experts agree that a VLAN is roughly equivalent to a broadcast domain
that is independent of physical location [4]. There may be multiple VLANs on a single physical
switch, or a single VLAN may span multiple switches.
Standard, physically defined broadcast domains are composed of the machines locally connected
to hubs and switches that can communicate without their traffic traversing a router. In other
words, all machines that share a common router gateway interface form a broadcast domain.
VLANs can be used to break these physical broadcast domains into many virtual broadcast
domains.
In short, VLANs segregate physically connected machines into groups/domains that act as
though they were NOT physically connected.
1.2 VPNs
The openness and free availability of information and resources is one of the core strengths of
the Internet. It is also one of its primary weaknesses. Without adequate security protections, the
Internet can be a very dangerous way to communicate private or sensitive information. This
danger is increased by the convenience of such communication. VPNs are one of many security
mechanisms that attempt to solve some of these issues.
A VPN is used to provide security services to disparately located machines or networks, such
that their Internet communications are as safe as (or safer than) if they were communicating on
a Local Area Network. The security services generally offered are user authentication, message
integrity and message confidentiality. VPNs are most often described as tunnels; the tunnel
protects the data carried within it. Tunnel endpoints can be located at an individual user's
workstation (for road warriors or home workers) or at a LAN gateway (for connecting an entire
LAN to the remote user or users).
VPNs attempt to aggregate machines that are physically separated into groups/domains that act
as though they are co-located.
1.3 Comparison
The concluding paragraphs in the above sections describe the fundamental difference between
VLANs and VPNs: while VLANs segregate physically connected machines into groups/domains
that act as though they were NOT physically connected, VPNs attempt to aggregate machines
that are physically separated into groups/domains that act as though they are co-located.
2 VLANS
Throughout the years, increases in the numbers of hosts commonly on Local Area Networks
(LANs) and in the use of networked applications have caused enormous increases in the overall
amount of traffic on typical LANs. This increase in traffic caused congestion and collision
problems in the shared media world of Ethernet, the dominant LAN technology over the past
fifteen years. This led network managers to use routers and hubs to segregate their networks into
many subnets with fewer hosts on each. This idea was soon taken to its natural extreme by the
use of Ethernet switches, effectively putting each host on its own hub and virtually eliminating
collision problems altogether. Switches even started replacing non-gateway routers to a large
degree within many networks. The popularity of Ethernet switches grew quickly, because they
are both cheaper and faster than routers. This is due to the differences between operating at OSI
layer 2 versus OSI layer 3. In layer 3, the internetworking layer, where routers work, the
addressing element for TCP/IP networks is the IP address. Routing of layer 3 packets is done
by an operation called a longest prefix match. This operation looks at the IP address and finds
the route in the routing table that most closely matches the address being routed. This is a slow
and complex operation, which makes routers slow and costly. Layer 2 switching, which is what
switches do, is done by a simple table look-up operation. Table look-up operations are very fast
and simple to implement.
Now, in switched environments, even larger numbers of hosts were gathered on switches. Even
where hubs were used, the hubs were often then connected to switches. This huge increase led to
an equally huge increase in the amount of "background" broadcast traffic (ARP, RIP,
NETBEUI…). This kind of background traffic was previously only a minor annoyance. But the
increase in broadcast traffic due to broad, flat switched networks led network managers to want
to segment the switched network even further, so that even broadcast traffic reached as few
unnecessary hosts as possible. They wanted to do this while leaving the hosts connected to the
same physical switches. This is where the idea for Virtual LANs emerged.
First generation VLANs were limited to a single switch. Second generation VLANs were able to
support VLANs that span multiple switches. VLANs are implemented by software that resides
on the switches themselves. All switches involved in the VLAN structure must support the
VLAN protocol being used.
Most current VLAN protocols allow arbitrary combinations of membership-defining parameters
(such as switch port, MAC address, IP address or protocol) to define VLAN membership.
Currently used VLAN protocols add the VLAN information to the layer 2 frame by adding a
"tag" containing the VLAN ID to each frame.
This history is important because it shows the specific motivations that led to the development of
VLAN protocols. Once the first VLANs were being implemented and standardization was being
seriously pursued, other, non-performance-related issues were raised, and other uses of VLANs
were proposed. Of primary interest in this report is the use of VLANs to provide security
services.
[Figure: VLANs spanning multiple switches. Hosts (H) attached to four switches (SW) are grouped into VLAN 1 through VLAN 5 independently of which switch they connect to.]
IEEE is the standards body doing the most active work in VLAN standardization. The IEEE
802.1 Internetworking Subcommittee is the specific group in charge of this technology area. In
March 1996 the subcommittee finished the initial phase of investigation for developing VLAN
standards [1]. The IEEE work, as well as other VLAN-related standards, is introduced briefly
below.
There are two MAC tagged frame structures defined in the standard, one for Ethernet and the
other for Token Ring/FDDI. The Ethernet “tag” consists of a two octet Tag Protocol Identifier
(TPID) and a two octet Tag Control Identifier (TCI). The Token Ring/FDDI “tag” has an eight
octet TPID and the same two octet TCI. The TPID identifies the frame as a tagged frame. The
TCI delivers user priority information as well as the actual VLAN Identifier (VID).
Within this kind of mixed technology environment VLANs can still exist. The primary
limitation is that with basic LANE implementations, all ATM-connected machines that interface
to the Ethernet world through a given interface must belong to the same VLAN. This is due to
LANE implementation issues. This limitation can be avoided in more robust LANE
implementations that allow multiple LAN Emulation Clients (LECs) to be instantiated within the
same physical switch or device. This improvement comes at the cost of additional configuration
and management. Note that there is no limitation on VLAN usage by Ethernet-connected hosts.
If ATM is used only as the backbone of the network, and there are no ATM-connected hosts,
LANE introduces no limitations.
This section discusses two issues. The first is the security features that VLANs provide. The
second is how to secure VLAN architectures.
One security implication is that VLAN software in Ethernet switches turns VLAN enabled
switches into a kind of firewall [4]. The introduction of VLAN technology into switches means
the switch must implement a routing function to do inter-VLAN communications. Theoretically,
the switch could forward packets to an external router for routing, but in reality, all major
implementations build a routing function into the switch. This software typically has packet
filtering capabilities. This security advantage is not a direct result of the VLAN technology, but
is definitely related.
Another implication is due to the reduction in the size of typical broadcast domains. VLAN
networks typically have much smaller broadcast domains than non-VLAN networks. This
makes eavesdropping attacks harder and less efficient to implement [4]. This is especially true
because VLANs are implemented through switches, which already provide a high level of
eavesdropping protection. The switch limits eavesdropping by limiting the visibility of standard
unicast traffic. VLANs improve this by also limiting the visibility of broadcast packets.
The third positive security implication is that the logical segregation provided by VLANs
provides a level of protection against "casual" attack [7]. One of the greatest threats in many
environments is the insider. Not only active malicious insiders are threats, but even the
"casual", "bored" or "curious" insider. They are not intentionally attempting to do harm to the
organization; they are just testing their limits, just "poking around". They can find sensitive or
private information. They can unknowingly disclose information whose sensitivity they do not
understand. Their access can lead auditors to impose penalties for allowing improper access. If
for some reason the "bored", "casual" user becomes disgruntled, the information gained could
suddenly be used in more malicious ways.
The final implication has to do with VLAN membership tables. VLAN membership tables have
become a sort of Access Control List (ACL). Traffic can be dropped at the switch based on the
same parameters that can define VLAN membership. Most commonly these parameters include
MAC address, IP address and protocol usage. Most vendors have built a "safe mode" into their
products. In this mode, if you are not a member of a VLAN recognized by the switch, your
traffic is dropped. The typical VLAN architecture is configured with a "default" VLAN. If the
switch cannot associate a host with any defined VLAN, its traffic is tagged for the default VLAN.
This feature must be turned off to enter safe mode.
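The tag layout from the 802.1Q discussion above (a two-octet TPID followed by a two-octet TCI carrying user priority and the 12-bit VID) and the membership-table behaviour just described (default VLAN versus safe mode) are combined in the following added example. It is not code from the report or from any vendor: the frame builder and parser follow the 802.1Q field layout, while the ingress policy, the MAC addresses, VLAN numbers and frames are constructed for the demonstration and are assumptions about how such a switch might behave.

```python
import struct

TPID_8021Q = 0x8100       # Tag Protocol Identifier marking an 802.1Q tagged frame
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Build an Ethernet frame; insert an 802.1Q tag (TPID + TCI) when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | (vid & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, the optional tag fields, ethertype and payload of a frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": frame[0:6], "src": frame[6:12], "vid": None, "pcp": None, "dei": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated inside the tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13          # user priority, 3 bits
        info["dei"] = (tci >> 12) & 1    # CFI / drop-eligible bit
        info["vid"] = tci & 0x0FFF       # VLAN identifier, 12 bits
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def classify_ingress(frame, port_vlans, mac_membership, default_vid=None):
    """Assumed ingress policy: return the VLAN a frame is assigned to, or None to drop it.

    port_vlans     - VIDs the receiving port is allowed to carry
    mac_membership - source MAC -> VID table (the membership table acting as an ACL)
    default_vid    - VLAN for hosts the switch cannot identify; None means safe mode,
                     where such traffic is dropped instead of tagged for a default VLAN
    """
    info = parse_frame(frame)
    member_vid = mac_membership.get(info["src"])
    vid = info["vid"]
    if vid not in (None, 0):                      # tagged frame (VID 0 is priority-only)
        if vid not in port_vlans:
            return None                           # VLAN not recognized on this port
        if member_vid is not None and member_vid != vid:
            return None                           # tag contradicts the membership table
        return vid
    if member_vid is not None and member_vid in port_vlans:
        return member_vid                         # untagged: assign from the table
    return default_vid                            # unknown host: default VLAN, or drop


# Constructed sample addresses and tables for the demonstration.
MAC_A = bytes.fromhex("02000000000a")
MAC_B = bytes.fromhex("02000000000b")
MAC_X = bytes.fromhex("020000000099")    # not in the membership table
BCAST = b"\xff" * 6
MEMBERSHIP = {MAC_A: 10, MAC_B: 20}
PORT_VLANS = {10, 20}


def demo():
    """Ingress decisions for several constructed frames, with and without safe mode."""
    untagged_a = build_frame(BCAST, MAC_A, ETHERTYPE_IPV4, b"\x45")
    tagged_b = build_frame(BCAST, MAC_B, ETHERTYPE_IPV4, b"\x45", vid=20, pcp=5)
    wrong_tag_a = build_frame(BCAST, MAC_A, ETHERTYPE_IPV4, b"\x45", vid=20)
    unknown_x = build_frame(BCAST, MAC_X, ETHERTYPE_IPV4, b"\x45")
    foreign_vid = build_frame(BCAST, MAC_X, ETHERTYPE_IPV4, b"\x45", vid=30)
    return {
        "untagged_member": classify_ingress(untagged_a, PORT_VLANS, MEMBERSHIP, 1),
        "tagged_member": classify_ingress(tagged_b, PORT_VLANS, MEMBERSHIP, 1),
        "tag_mismatch": classify_ingress(wrong_tag_a, PORT_VLANS, MEMBERSHIP, 1),
        "unknown_default": classify_ingress(unknown_x, PORT_VLANS, MEMBERSHIP, 1),
        "unknown_safe_mode": classify_ingress(unknown_x, PORT_VLANS, MEMBERSHIP, None),
        "unrecognized_vid": classify_ingress(foreign_vid, PORT_VLANS, MEMBERSHIP, 1),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, "->", "drop" if decision is None else "VLAN %d" % decision)
```

With default_vid set, the unknown host lands in VLAN 1 exactly as the report describes; passing None models safe mode, where the same frame is dropped. The tag-mismatch case shows the membership table acting as an ACL against a frame that claims a VLAN its source is not a member of.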
Another weakness is the possibility of software bugs. Again this is not a weakness of the
architecture or protocols. It is an inevitable implementation weakness. Several existing products
were shown to allow “VLAN Hopping” where packets tagged for one VLAN ended up in a
different VLAN [10]. There is no way to avoid the possibility of these software errors. But this
is true for any technology, and has nothing to do with VLAN technology itself.
These services can be provided in the same way as they are in any other network environment.
User-Authentication and Access control can be provided by techniques such as: passwords,
challenge-response, callback, one-time passwords, Kerberos, RADIUS, tokens…
Access Control can be enforced by means of such techniques as ACLs, Operating System
controls, Auditing, good Authentication, traffic filtering, intrusion detection,…
Confidentiality and Integrity, probably the most talked about and recognized security services
can be enforced by such techniques as: IPSEC, VPN, Encrypted File Systems, File System
Integrity checkers, secure applications…
As with VLANs, wireless technologies are also growing in popularity. PDAs, wireless phones,
laptop computers and other mobile computing devices are becoming more common, and are
depended on in more important ways. Also, high-speed radio frequency (RF) broadcast and
reception technologies have made remarkable advances that make their use in small, mobile,
battery-operated devices feasible. Wireless networking makes traveling demonstrations for
salespeople at customer sites, conferences or expositions much easier. Their use even in
fixed-location devices and applications also has significant advantages due to the lack of time,
effort and expense of wiring (and rewiring, and rewiring…) an office suite or building.
The general architecture used almost always in wireless LAN environments is to have multiple
WLAN-enabled devices communicate through one or more Access Points (AP). The AP can be
a hardware appliance or software running on any WLAN-enabled machine. Typically the AP is
wired to the network infrastructure to provide access to the local wired LANs or Internet. The
AP is analogous to a cellular base station or, more loosely, even to a wired Ethernet hub. The
figure [12] below is a typical wireless environment with two APs connected to a wired
distribution system (typically an Ethernet LAN) which provides full network access to the
wireless hosts.
One wireless LAN protocol dominates the industry: IEEE 802.11. 802.11 was first adopted in
1997 [13] and has since been updated as 802.11b. The 802.11 standard covers the physical and
data link layers of the OSI model.
The standardized physical layer is based on RF broadcasting in the 2.4 GHz range. The exact
frequencies used depend on the frequencies allocated by the political organizations in various
regions of the world. There are four standard data rates supported: 1 Mbps, 2 Mbps, 5.5 Mbps
and 11 Mbps. Spread spectrum techniques are used. Frequency Hop Spread Spectrum (FHSS) is
supported at 1 Mbps and 2 Mbps. Direct Sequence Spread Spectrum (DSSS) is supported at all
four standardized data rates. Typical indoor ranges between components are listed at 150-300
feet, and 1000 feet outdoors [14]. These ranges depend greatly on the environment.
The data link layer is based largely on the 802.3 Ethernet frame format. 802.11 network
interface cards (NICs) have a globally unique 48-bit MAC address, exactly like 802.3 Ethernet
NICs. 802.11 WLANs use Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA),
almost identical to the Ethernet Carrier Sense Multiple Access with Collision Detection
(CSMA/CD) technique.
On top of this Ethernet-like data link layer, however, the 802.11 committee created a security
protocol called Wired Equivalent Privacy (WEP). WEP was designed to improve the security of
802.11 networks to roughly the equivalent of their wired 802.3 counterparts. The primary goal
of WEP was to prevent eavesdropping on the RF-broadcast data, with secondary goals of
providing data integrity verification and a level of access control. This basic level of security
was seen as critical to make WLANs acceptable for use where even moderate levels of security
are needed. Higher security requirements were to be met by other mechanisms such as IPSEC.
The following figure shows how to construct a WEP frame from an 802.11 frame. The original
802.11 frame is labeled in the figure as "Message." To this frame is added a 32 bit Cyclic
Redundancy Check (CRC) integrity checksum. This CRC is appended to the Message to form
the Plaintext to be encrypted. RC4 stream encryption is used. The RC4 algorithm is keyed using
the shared secret key, appended with an Initialization Vector (IV) shown as "v" in the figure.
The initialization vector and key identifier, along with the Ciphertext are transmitted as the
protected WEP frame.
Figure 3: WEP Frame Construction
    Plaintext        = Message || CRC
    Keystream        = RC4(v, k)
    Ciphertext       = Plaintext XOR Keystream
    Transmitted Data = IV, KeyID || Ciphertext
WEP encryption is accomplished using RC4 stream encryption. The WEP standard calls for a 40
bit key. Vendors have already implemented 64 and 128 bit variations of WEP. Longer key
lengths are being designed into the next 802.11 version. The standard calls for four system-wide
global keys and optionally a separate key for each host. Most implementations do not support
the option to have a key for each host. In practice, almost all installations use only one key for an
entire network. These keys are also configured into devices through difficult manual processes,
which means they are not changed often.
Unfortunately, weaknesses have been found in the WEP protocol. Nikita Borisov, Ian Goldberg
and David Wagner are the researchers who originally discovered and published descriptions of
the following weaknesses and sample attacks based on them [12].
The group published three general weaknesses. They also published many attacks based on
these fundamental weaknesses. The three weaknesses are:
1. The standard does not disallow IV (key) reuse
2. The CRC integrity checksum is a linear function of the message
3. The CRC integrity checksum is an unkeyed function of the message
Weakness 1 leads to several means to derive short segments of the keystream, and to repeatedly
use a known keystream segment to decrypt future packets that reuse the same IV. With a
known plaintext/ciphertext pair, the keystream can be directly computed. As it turns out, it is
quite easy to trick the network into encrypting or decrypting certain packets, broadcast packets
for instance, giving away portions of the key sequences one packet at a time. A patient attacker
can build up a dictionary of known IV/keystream pairs. The difficulty in changing keys means
that most operational systems use the same keys for months at a time. A rather complete
dictionary can be built up in a matter of days.
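The frame construction of Figure 3 and the IV-reuse problem of weakness 1 are illustrated together in the following added example, which is not code from the report or from Borisov, Goldberg and Wagner. It implements the 40-bit WEP encapsulation (RC4 keyed with IV || shared key, CRC-32 integrity check value, IV and key-id byte sent in the clear), shows the textbook consequence of reusing an IV (the XOR of two ciphertexts equals the XOR of their plaintexts), and adds a defender-side check that flags repeated (key id, IV) pairs in a set of captured frames. The shared key, IVs and messages are constructed for the demonstration.

```python
import zlib
from collections import defaultdict


def rc4_keystream(key, length):
    """Generate `length` bytes of RC4 keystream for `key` (KSA, then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                       # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(message):
    """WEP integrity check value: CRC-32 of the message, little-endian."""
    return zlib.crc32(message).to_bytes(4, "little")


def wep_encapsulate(message, key, iv, key_id=0):
    """Figure 3: plaintext = message || CRC, ciphertext = plaintext XOR RC4(iv || key),
    transmitted frame = iv || key-id byte || ciphertext."""
    assert len(iv) == 3 and len(key) == 5, "40-bit WEP: 24-bit IV plus 5-byte key"
    plaintext = message + icv(message)
    keystream = rc4_keystream(iv + key, len(plaintext))
    key_id_byte = bytes([(key_id & 0x3) << 6])    # key id lives in the top two bits
    return iv + key_id_byte + xor_bytes(plaintext, keystream)


def wep_decapsulate(frame, keys):
    """Reverse Figure 3 using the key selected by the key-id byte; None if the ICV fails."""
    iv, key_id, ciphertext = frame[:3], frame[3] >> 6, frame[4:]
    plaintext = xor_bytes(ciphertext, rc4_keystream(iv + keys[key_id], len(ciphertext)))
    message, received_icv = plaintext[:-4], plaintext[-4:]
    return message if icv(message) == received_icv else None


def same_iv_leaks_plaintext_xor(frame1, frame2, message1, message2):
    """Weakness 1: frames under the same IV and key share a keystream, so the XOR of
    the two ciphertexts equals the XOR of the two (message || ICV) plaintexts."""
    c1, c2 = frame1[4:], frame2[4:]
    p1, p2 = message1 + icv(message1), message2 + icv(message2)
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])


def find_iv_reuse(frames):
    """Defender-side check over captured WEP frames: count frames per (key id, IV)
    and return only the pairs seen more than once."""
    seen = defaultdict(int)
    for frame in frames:
        seen[(frame[3] >> 6, frame[:3])] += 1
    return {pair: count for pair, count in seen.items() if count > 1}


# Constructed demo values: one 40-bit shared key (key id 0) and two short messages.
KEY = bytes.fromhex("0102030405")
KEYS = {0: KEY}
M1 = b"GET / HTTP/1.0\r\n"
M2 = b"HELLO, WORLD!!!!"


def demo():
    f1 = wep_encapsulate(M1, KEY, iv=b"\x00\x00\x01")
    f2 = wep_encapsulate(M2, KEY, iv=b"\x00\x00\x01")   # same IV: keystream reused
    f3 = wep_encapsulate(M2, KEY, iv=b"\x00\x00\x02")
    tampered = f1[:-1] + bytes([f1[-1] ^ 0x01])          # flip a bit in the ICV
    return {
        "round_trip": wep_decapsulate(f1, KEYS) == M1,
        "tamper_detected": wep_decapsulate(tampered, KEYS) is None,
        "iv_reuse_leaks_xor": same_iv_leaks_plaintext_xor(f1, f2, M1, M2),
        "distinct_iv_no_leak": same_iv_leaks_plaintext_xor(f1, f3, M1, M2),
        "reused_ivs": find_iv_reuse([f1, f2, f3]),
    }


if __name__ == "__main__":
    print(demo())
```

The monitor in find_iv_reuse is the practical takeaway for an operator of the period: with a 24-bit IV and a key that is rarely changed, repeated (key id, IV) pairs are inevitable, and counting them over captured frames gives a direct measure of how much keystream an observer could have collected.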
Weakness 2 leads to a fundamental problem. Arbitrary changes can be made to the message
and checksum without detection. Because the checksum is a linear function of the message, two
methods can be used to make the checksum match a modified message: 1) a counteracting
change to another part of the message can make the new message have the same checksum as the
original message, or 2) a corresponding change to the checksum itself can be deterministically
computed from the change made to the message. A further complication is caused by the fact
that the encryption itself is also linear. The message-altering attacks described above can be
done to the ciphertext, with no knowledge of the plaintext. Certain parts of the message may be
known, such as the IP addresses, and their placement within the packets is known. So IP
addresses (or other similarly predictable fields) can be modified, again without any knowledge
of the key or plaintext.
Weakness 3 leads to several more problems. Because the checksum is unkeyed, an attacker can
create checksums for messages where the plaintext is known. As soon as the attacker knows one
IV/keystream pair (based on weakness 1), packets can be inserted into the network at will. Access
Points are required to accept packets even if they reuse the same IV over and over again, or risk
noncompliance with the standard.
4 WIRELESS VLANS
Some fundamental parts of standard wired VLAN networking cannot be duplicated in the
wireless world. The original purpose of VLANs was to limit broadcast domains. In the wireless
world, there is no way to limit broadcast domains. This means that even the parts of VLAN
networking that do work do so without the performance advantages VLANs were designed to
provide. In addition to not gaining the performance advantage of VLAN use, the inability to
limit which hosts have physical access to packets means wireless VLANs lose the security
advantages of VLANs as well. The security can be improved by using WEP's key management
feature of separate keys for each host, or at least by using all four system-wide keys. Also, all
wireless hosts interface to the wired network through a small set of APs. This means that the
dominant VLAN membership definition style, assignment of VLAN membership by switch port,
does not work, because multiple hosts connect through the same switch port via the AP.
Physically mobile devices which roam among many APs (with many different switch ports)
further complicate the issue of VLAN assignment by switch port.
Other fundamental parts of VLAN networking remain unchanged in the IEEE 802.11 wireless
environment. Wireless networks can still use MAC address based membership schemes, because
IEEE 802.11 uses exactly the same MAC addressing as Ethernet. Other lesser known membership
schemes, such as protocol based VLAN membership, can also be used in wireless networks the
same way as in wired networks.
5 CONCLUSION
VLANs successfully achieve their design goal of limiting broadcast traffic and allowing larger
flat switched networks, eliminating the complexity, cost and performance problems of routers.
They even provide a moderate improvement in the security of a network. They do not provide
"strong" security, however. In an environment with a need for strong security, VLAN security
must be supplemented the same way standard LAN network security is supplemented. Only
through the use of proven techniques such as strong cryptography can strong confidentiality,
integrity and authenticity be provided.
WLANs provide convenience, quick and cheap installation and full network access for mobile
devices. WEP "raises the bar" in terms of security and the difficulty of mounting eavesdropping,
data modification and data insertion attacks. It does not provide the level of security intended by
the designers, due to flaws in the protocol design. But even if the security goals of the designers
were met, this would only give wireless environments security equivalent to their basic wired
counterparts. As with VLANs, in an environment with a need for strong security, WLAN
security must be supplemented the same way standard LAN network security is supplemented.
Only through the use of proven techniques such as strong cryptography can strong confidentiality,
integrity and authenticity be provided.
While these two technologies are promising independently, they do not work well together. They
can be made to co-exist, but because of the fundamental differences in the problems they were
designed to solve and the environments in which they were designed to operate, they do not mesh
together in any synergistic way.
6 REFERENCES
[1] Smith, Marina. Virtual LANs. McGraw Hill, New York, NY, 1998.
[2] Scott, Charlie, Wolfe, Paul, and Erwin, Mike. Virtual Private Networks, Second Edition. O'Reilly and Associates, Inc., Sebastopol, CA, 1999.
[3] Perlmutter, Bruce, with Zarkower, Jonathan. Virtual Private Networking, a View From the Trenches. Prentice Hall PTR, Upper Saddle River, NJ, 2000.
[4] Passmore, David and Freeman, John. The Virtual LAN Technology Report. http://www.3com.com/nsc/200374.html, May 1996.
[5] Cisco Systems, Inc. VLAN Standardization via IEEE 802.10. http://www.cisco.com/warp/public/537/6.html, July 1995.
[6] Cisco Systems, Inc. Cisco VLAN Roadmap. http://www.cisco.com/warp/public/538/7.html, April 1999.
[8] Ryan, Jerry. A Practical Guide to the Right VPN Solution. http://www.techguide.com, 2000.
[10] Taylor, David. Are there Vulnerabilities in VLAN Implementations? SANS Institute, http://www.sans.org/newlook/resources/IDFAQ/vlan.htm, July 2000.
[11] Goldberg, Ian, Wagner, David, and Borisov, Nikita. Intercepting Mobile Communications: The Insecurity of 802.11 (draft). http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf, 2001.
[13] Champness, Angela. IEEE 802.11 DSSS: The Path To High Speed Wireless Data Networking. http://www.wi-fi.net/downloads/weca80211boverview.pdf, 2001.